Australia, as we’ve all pretty much discovered by now, has some of the most lax privacy protections on the planet. At the end of last year, it felt like every company under the sun was getting hacked, our personal data stolen, and our identities held for ransom.
Australians lose an estimated $2 billion each year to online scams and privacy breaches. Perhaps more concerning is the fact that 75% of our critical infrastructure — like energy operators — is “severely vulnerable” to cyber attack, according to a report by Microsoft last year. To add to this, poor online security leaves people vulnerable to online sexual exploitation, blackmail, and extortion.
It’s a hot mess. And part of the reason why it is so humid and disorderly is because much of our legal framework to keep people safe online is based on the arcane Privacy Act of the year of our lord 1988. Granted, the Act has been updated and amended in the 35 years since its passing, but still, the principles of the Act remain the guiding structure for how we are kept safe, or not, in 2023.
Now, that all might be about to change as Attorney-General Mark Dreyfus is set to release his department’s review of the Privacy Act. The review will put forward a series of reforms that attempt to modernise and revamp the whole thing to protect Australians in the current digital age.
“Large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams,” Dreyfus said in a statement.
“The Australian people rightly expect greater protections, transparency and control over their personal information and the release of this report begins the process of delivering on those expectations”.
The review, which does not automatically become government policy, suggests that Aussie privacy rights could be remodelled on European Union ‘GDPR’ laws. These would give us greater control over who has access to our personal information and what they do with it.
If the new policy proposals end up becoming law, they could also allow Aussies to sue for privacy breaches, opt out of targeted ads, erase their data from companies’ logs, and even be granted the ‘right to be forgotten’.
Small businesses, which are currently exempt from Privacy Act regulations, would be brought in line with the larger organisations over data protection and individual privacy. Political parties, however, will continue to be exempt from the laws, with only an increase in safety measures put in place, according to the proposals.
“The government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take,” Dreyfus continued in his statement.
What Is GDPR?
If you’ve ever had to use the internet within Europe, you’ll no doubt be familiar with GDPR, or ‘general data protection regulation’.
In 2018, the European Union overhauled its patchwork of data privacy laws dating back to the 1990s, implementing a new, catch-all policy called GDPR. For most people, the result was having to tick a box every time you went to a new website asking whether you wanted to be tracked by that website. Users have to be able to opt out of data tracking and can’t be added to mailing lists without their consent.
It’s largely considered to be the world’s strongest set of data protection rules, containing almost 100 articles of law. It is made up of a whole range of guiding principles and rights, including the ability to request data on yourself from a company, the power to remove data from a company, and extra powers to fine companies for being in breach of the rules.
Google, for example, was fined €50 million ($77.5 million) by the French National Data Protection Commission for mishandling people’s information without gaining their consent over what it was collecting. Just last month, WhatsApp was fined €5.5 million ($8.5 million) by the Irish Data Protection Commission for similar breaches of the rules.
Will GDPR-Style Rules Work in Australia?
Look, it’s better than nothing and certainly better than what we’ve currently got. Last year, the government ramped up the penalties for privacy breaches and mishandling of personal information. The fines for serious breaches of customer information increased from $2.2 million to $50 million, although no company has yet been stung by one of these increased fines. That being said, investigations into some breaches are still ongoing.
Still, it’s enough incentive for organisations to get their affairs in order. Last year it was revealed that large organisations like Medibank and Optus were storing records from customers who hadn’t been with them for years on wildly unsecured servers, leaking medical and passport information when they were hacked. These new, GDPR-style regulations would give people the right to remove that data before it is targeted.
In theory, the Office of the Australian Information Commissioner could be granted further oversight and compliance powers to enforce the new rules. However, the laws could also be used to restrict Australia’s already thin media protection rights by providing wealthy and powerful organisations and individuals further avenues to attack publications that print information about them they do not want to be made public.
Technology companies, for their part, have signalled that they are in favour of such legal changes and would welcome Australia being brought into alignment with European-style laws.
While the shift Dreyfus has proposed is just a recommendation at the moment, it seems likely that the government will want to further enshrine citizens’ rights in the face of technological mismanagement.
“This is the first step in cleaning up the former government’s mess,” Dreyfus said in 2022 when introducing the larger fines.
“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.